The Kryptonite story is pretty played out right now, although more stories about other tubular lock vulnerabilities (via) will surely pop up. There’s a lot to be learned by reflecting just on what happened to Kryptonite.
About two weeks ago videos of someone opening a Kryptonite bike lock using a Bic pen in 30 seconds showed up online. A lot of people were incredulous, which is great, but they were easily able to replicate the experiment and news quickly spread. When the New York Times writes about security flaws, it’s no longer the domain of locksmiths. Kryptonite is doing the Right Thing™ and replacing vulnerable locks.
The computer security world has been wrestling with full disclosure since day one. Full disclosure claims that the best way to report a security flaw is to make the report public and include a way to replicate the flaw.
The argument for full disclosure is that malicious hackers will find out about the code anyway, so they gain very little. Also, people are best able to protect their systems when they can see the full impact of the flaw on their own, and vendors have a history of needing to be shamed into fixing problems. The argument against is that showing the public how to replicate the flaw lets malicious hackers exploit it with ease.
Apparently the Kryptonite flaw has been known since at least 1992 (via) and is only being fixed now. Why so long? Until now Kryptonite hasn’t been shamed publicly for the flaw. Meanwhile people have had their bikes stolen because they treated their lock as secure, until they found out that their bikes weren’t safe and haven’t been safe for at least 12 years.
The video was the equivalent of exploit code in computer security, and accomplished the aims of full disclosure. People found out what bike thieves already knew, were able to protect themselves, and the vendor is finally addressing the issue.
Another important parallel is with DRM and the DMCA (thanks to getlucky for the idea). I know it’s a Slashdot cliché to apply the DMCA to anything and everything, but there’s actually a good parallel here. Let’s pretend that the law treated the Bic pen vulnerability the way it treats decrypting DVDs.
First, the person who discovered the flaw has his home raided by police and goes through two trials in as many years. Next, everyone linking to the video is sued, although the New York Times is spared. Finally, once all the lawsuits have gone through their motions, Kryptonite congratulates itself on a job well done. Of course it doesn’t fix the lock, but since it can silence anyone who talks about how to break the lock, it doesn’t need to.
To see how the DMCA affects computer security, the Kryptonite saga is a great metaphor. A lot has been said about leaky abstractions, and most of it applies in this instance. For instance, people using Bic pens to open bike locks generally don’t own the bike; people decrypting DVDs generally own the discs.
Laws like the DMCA, in fact all intellectual property laws, rely on metaphors and don’t address the fundamental differences between physical objects and ideas directly. These laws pretend that ideas are physical objects and subject to physical constraints, but strain so hard in doing so that the absurdity is clear when you try to map a law like the DMCA back onto a physical counterpart like a bike lock.
I like to think that I’m on the tail end of the last generation that treats ideas as abstractions. The internet forces people to deal with ideas as they are instead of tied to physical objects like paper or vinyl. The kids right now, the kids who will take the internet as a given for the rest of their lives, they have the best chance of interacting with ideas without abstraction.


5 responses to “Kryptonite’s implications”

  1. Comparing the Kryptonite problem to DMCA

    Kryptonite locks can be opened with a Bic pen and hard shove (more detail on that, if you want it). George Hotelling draws a parallel between this and DRM/DMCA. …Let’s pretend that the law treated the Bic pen vulnerability the…

  2. Joe says:

    I clicked because it said “Comments (1)”, but all I got was a Trackback. No fun.

  3. George says:

    A TrackBack is a comment, just in the form of a blog post on another site. That’s why I group and count them together.

  4. What exactly is “the Kryptonite flaw”? Well-pinned tubular cylinders can’t be opened with a simple tubular device. These locks must have been assembled with cheap China-made cylinders and had to be all pinned with same-length pins.
    It does not mean that every tubular cylinder is at the same risk.

  5. George says:

    No, not every tubular cylinder lock is vulnerable, but laptop locks and Master Lock steering wheel locks are. And I’m sure more things will follow.
